feat: add forgot password rate limiting #385
Conversation
Pull request overview
Adds rate limiting to the auth.forgotPassword tRPC mutation, reusing a shared Redis-based limiter and consolidating IP extraction into a common helper used across API and tRPC contexts.
Changes:
- Add `checkForgotPasswordRateLimit` and a shared `checkRateLimit` helper in `src/server/utils/ratelimit.ts`.
- Include `ip` in the tRPC context (`createContext`) and enforce rate limiting in `authRouter.forgotPassword`.
- Update login to use the shared `getClientIp` helper and add unit tests for forgot-password rate limiting.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/unit/server/trpc/routers/auth.test.ts | Adds unit tests validating forgot-password rate limiting behavior in the auth tRPC router |
| tests/unit/app/api/login/route.test.ts | Adjusts ratelimit mocking to preserve non-mocked exports while overriding checkLoginRateLimit |
| src/server/utils/ratelimit.ts | Introduces getClientIp, factors common rate-limit logic, and adds forgot-password limiter |
| src/server/trpc/routers/auth.ts | Enforces forgot-password rate limiting via ctx.ip with a TOO_MANY_REQUESTS error |
| src/server/trpc/index.ts | Extends tRPC context to include ip derived from the incoming request |
| src/app/api/login/route.ts | Replaces inline IP parsing with getClientIp(request) |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
From src/server/trpc/routers/auth.ts:

```ts
throw new TRPCError({
  code: "TOO_MANY_REQUESTS",
  message: "Too many requests, please try again later",
});
}
```
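Review bot: the message on the third line tells the client nothing about when it may retry; consider surfacing the window length (a `Retry-After` header on the HTTP response, or the remaining seconds in the error's data) alongside `TOO_MANY_REQUESTS` so well-behaved clients back off for the right interval instead of guessing.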
Throwing TRPCError with code: "TOO_MANY_REQUESTS" here will be treated like any other tRPC error by the API handler and (currently) gets logged at error level and sent to Sentry (see src/app/api/trpc/[trpc]/route.ts:16-51, where ACCEPTED_ERROR_CODES is empty). For rate-limiting, this can generate high-volume noise during normal throttling or attacks. Consider handling this case so it’s not captured/logged as an error (e.g., add TOO_MANY_REQUESTS to an accepted/ignored list, or adjust the handler/logging strategy for this error code).
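The overview above describes a shared Redis-based limiter plus a common `getClientIp` helper, and the review comment asks for `TOO_MANY_REQUESTS` to be kept out of error-level logging and Sentry. The following is an added example, not code from PR #385 or the project: the PR names `checkRateLimit`, `checkForgotPasswordRateLimit`, `getClientIp` and `ACCEPTED_ERROR_CODES`, but their bodies are not on the page, so every implementation below is an assumed shape. Redis is replaced by an in-memory stand-in (`MemoryCounterStore`) so the file runs offline, `HeaderLike` and `shouldReportError` are names introduced here, and the limit of 5 requests per 15 minutes per IP is an assumed value.

```typescript
// Added illustration, not code from PR #385. The review names checkRateLimit,
// checkForgotPasswordRateLimit, getClientIp and ACCEPTED_ERROR_CODES but their
// bodies are not on the page, so every shape below is assumed. Redis is replaced
// by an in-memory stand-in so the file runs offline, and the limit (5 requests
// per 15 minutes per IP) is an assumed value, not the PR's.

// The Redis commands a fixed-window counter needs: INCR, EXPIRE, TTL.
interface CounterStore {
  incr(key: string): Promise<number>;
  expire(key: string, seconds: number): Promise<void>;
  ttl(key: string): Promise<number>; // seconds remaining, -1 if no expiry
}

// In-memory stand-in with an injectable clock so window expiry can be exercised.
class MemoryCounterStore implements CounterStore {
  private entries = new Map<string, { count: number; expiresAt: number | null }>();
  private readonly now: () => number;
  constructor(now: () => number = () => Date.now()) {
    this.now = now;
  }
  async incr(key: string): Promise<number> {
    const e = this.entries.get(key);
    if (e && (e.expiresAt === null || e.expiresAt > this.now())) {
      e.count += 1;
      return e.count;
    }
    this.entries.set(key, { count: 1, expiresAt: null }); // new or expired key, like Redis INCR
    return 1;
  }
  async expire(key: string, seconds: number): Promise<void> {
    const e = this.entries.get(key);
    if (e) e.expiresAt = this.now() + seconds * 1000;
  }
  async ttl(key: string): Promise<number> {
    const e = this.entries.get(key);
    if (!e || e.expiresAt === null) return -1;
    return Math.max(0, Math.ceil((e.expiresAt - this.now()) / 1000));
  }
}

interface RateLimitResult {
  allowed: boolean;
  remaining: number;
  retryAfterSeconds: number; // 0 when allowed
}

// Shared fixed-window limiter: one counter per bucket and identifier, reset after windowSeconds.
async function checkRateLimit(store: CounterStore, bucket: string, identifier: string,
                              limit: number, windowSeconds: number): Promise<RateLimitResult> {
  const key = `ratelimit:${bucket}:${identifier}`;
  const count = await store.incr(key);
  // INCR then EXPIRE is two round trips; a crash between them leaves a key with no TTL.
  // Against real Redis, run both in MULTI/EXEC or a Lua script.
  if (count === 1) await store.expire(key, windowSeconds);
  if (count <= limit) return { allowed: true, remaining: limit - count, retryAfterSeconds: 0 };
  const ttl = await store.ttl(key);
  return { allowed: false, remaining: 0, retryAfterSeconds: ttl > 0 ? ttl : windowSeconds };
}

const FORGOT_PASSWORD_LIMIT = 5; // assumed
const FORGOT_PASSWORD_WINDOW_SECONDS = 15 * 60; // assumed

function checkForgotPasswordRateLimit(store: CounterStore, ip: string): Promise<RateLimitResult> {
  return checkRateLimit(store, "forgot-password", ip, FORGOT_PASSWORD_LIMIT, FORGOT_PASSWORD_WINDOW_SECONDS);
}

// The slice of Request.headers that both the API route and tRPC createContext can hand over.
interface HeaderLike {
  get(name: string): string | null;
}

function getClientIp(headers: HeaderLike): string {
  // X-Forwarded-For is client-controlled unless the edge proxy overwrites it. Taking
  // the first entry is only safe behind such a proxy; without one a client can mint a
  // fresh bucket on every request and the limiter is bypassed.
  const forwarded = headers.get("x-forwarded-for");
  if (forwarded) {
    const first = forwarded.split(",")[0].trim();
    if (first) return first;
  }
  const realIp = headers.get("x-real-ip");
  if (realIp && realIp.trim()) return realIp.trim();
  return "unknown"; // unidentifiable clients share one bucket instead of escaping the limit
}

// Handler side of the review comment: codes that are expected traffic, to be skipped
// by error-level logging and Sentry capture rather than reported like a real failure.
const ACCEPTED_ERROR_CODES: ReadonlySet<string> = new Set(["TOO_MANY_REQUESTS"]);

function shouldReportError(code: string): boolean {
  return !ACCEPTED_ERROR_CODES.has(code);
}
```

In the real handler the `shouldReportError` decision belongs in the tRPC `onError` callback, in front of the logger and Sentry calls, so a throttled burst produces metrics rather than error volume. The `getClientIp` comment is the check to make before trusting the limiter at all: if the deployment's edge does not overwrite `X-Forwarded-For`, the first entry is whatever the client sent, and a per-IP limit keyed on it is trivially bypassed.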